Upon execution, the sample phones back to hxxp://203.172.238.18:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (AS23974, Ministry of Education, Thailand). The following domain has also resolved to this IP in the past: phnomrung.com (name server: ns1.banbu.ac.th; currently resolving to 208.91.197.101).

The campaign's main name servers, NS1.CHELSEAFUN.NET and NS2.CHELSEAFUN.NET, currently also serve the following malicious domains, which participate in related campaigns:

We were only able to reproduce the malicious activity of performingandroidtoios.info. Upon successful client-side exploitation, it drops MD5: fa762aba0abc5ed38a179fcaa6597033, detected by 24 out of 44 antivirus scanners as PWS:Win32/Zbot.

Once executed, the sample creates the following files on the affected hosts:
MD5: 856A129FBAA3BBEF5B9F0FDDC6629C9D
MD5: 0B452576E3AEC9C0CBB1D68763F8AB44
MD5: 65EAFD7470C2122C519DBA22BF59B2D0
MD5: E56D76F26BD5976234B2D82984944334
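To turn the indicators above into something a responder can actually run, here is an added example (not code from the original write-up) that refangs the hxxp:// C2 URL and matches it field by field against proxy logs, pivots on the CHELSEAFUN.NET name servers over passive-DNS records, and compares file hashes against the dropped-file MD5s. The IOC values are the ones quoted above; the log lines, passive-DNS records and file blobs are constructed for the demo, and the log format is an assumption.

```python
# Added example, not part of the original write-up: operationalising the
# indicators quoted above as an offline triage check. The IOC values are the
# ones from the report; every log line, passive-DNS record and file blob below
# is constructed for the demo.
import hashlib
import re
from urllib.parse import urlparse

C2_URL_DEFANGED = "hxxp://203.172.238.18:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/"
CAMPAIGN_NAME_SERVERS = {"ns1.chelseafun.net", "ns2.chelseafun.net"}
DROPPED_MD5S = {  # the dropper plus the four files it writes
    "fa762aba0abc5ed38a179fcaa6597033",
    "856a129fbaa3bbef5b9f0fddc6629c9d",
    "0b452576e3aec9c0cbb1d68763f8ab44",
    "65eafd7470c2122c519dba22bf59b2d0",
    "e56d76f26bd5976234b2d82984944334",
}


def refang(url):
    """Turn the hxxp:// defanged form back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def c2_indicator(url_defanged=C2_URL_DEFANGED):
    """Split the C2 URL into (host, port, path) so each field can be matched."""
    u = urlparse(refang(url_defanged))
    return u.hostname, u.port or 80, u.path


def match_proxy_log(lines, url_defanged=C2_URL_DEFANGED):
    """Return the proxy log lines that hit the C2 host, port and path prefix.
    Line format assumed (constructed): '<timestamp> <client_ip> <method> <url>'.
    Matching host, port and path separately avoids both missing a request that
    differs only in a trailing query string and flagging unrelated traffic to
    the same shared IP on port 80."""
    host, port, path = c2_indicator(url_defanged)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        u = urlparse(fields[3])
        if u.hostname == host and (u.port or 80) == port and u.path.startswith(path):
            hits.append(line)
    return hits


def domains_on_name_servers(records, name_servers=CAMPAIGN_NAME_SERVERS):
    """Passive-DNS pivot: which domains delegate to the campaign's name servers?
    records: iterable of (name, rtype, rdata) tuples; trailing dots and case are
    normalised so 'NS1.CHELSEAFUN.NET.' and 'ns1.chelseafun.net' compare equal."""
    ns = {n.lower().rstrip(".") for n in name_servers}
    return sorted({name.lower() for name, rtype, rdata in records
                   if rtype.upper() == "NS" and rdata.lower().rstrip(".") in ns})


def hash_matches(blobs, known_md5s=DROPPED_MD5S):
    """Return the names of in-memory file blobs whose MD5 is in the IOC set
    (hash comparison is case-insensitive, as vendors mix upper and lower case)."""
    known = {h.lower() for h in known_md5s}
    return sorted(name for name, data in blobs.items()
                  if hashlib.md5(data).hexdigest() in known)


# Constructed sample data for a stand-alone run.
PROXY_LOG = [
    "1334000001 10.0.0.5 GET http://203.172.238.18:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "1334000002 10.0.0.7 GET http://203.172.238.18/index.html",
    "1334000003 10.0.0.9 GET http://example.com/",
]
PDNS_RECORDS = [
    ("performingandroidtoios.info", "NS", "ns1.chelseafun.net."),
    ("phnomrung.com", "NS", "ns1.banbu.ac.th."),
    ("example.com", "NS", "a.iana-servers.net."),
]

if __name__ == "__main__":
    print(c2_indicator())
    print(match_proxy_log(PROXY_LOG))
    print(domains_on_name_servers(PDNS_RECORDS))
    print(hash_matches({"benign.txt": b"hello"}))
```

The second constructed log line goes to the same IP on port 80 and is deliberately not matched: the C2 lives on 8080 on a Ministry of Education address, so IP-only matching would drown the hit in legitimate traffic to that network.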